Building Salesforce Sharing Model Into Einstein Analytics DataFlow Part II

This is the second part of a two-part series on building the Salesforce sharing model into your Einstein Analytics DataFlow. I would recommend that you check out Part I here before reading further.

In the first part of this series I laid out a method to add all of the information that you would need to recreate most of the Salesforce security model in your DataFlow. The focus of this post is to take this model and write a security predicate that you can apply to a dataset to control row-level access.

So how’s it done?

I could just paste the entire logical statement in one blob of text for you to copy, but I don’t think it will be as helpful as walking through it and making sure you understand what each part is doing. But if you just want the statement in its entirety I will include it at the bottom of the post.

The first statement in the predicate deals with the case of an individual user receiving access to the Opportunity record. The first part matches the user IDs that have access to the record, and the second part matches the managing roles of those users, who also inherit access.

'UserShare.User.Id' == "$User.Id" || 'UserShare.User.Role.Roles' == "$User.UserRoleId"

Then we need to build in the check for whether the user trying to access the record has been given access because their role, or one of the roles below them, has been given access to the Opportunity record directly via a sharing rule.

'RoleShare.Group.RelatedId' == "$User.UserRoleId" || 'RoleShare.Role.Roles' == "$User.UserRoleId"

Next, we deal with record access through group sharing, specifically users within a group being granted record access. This clause also covers sharing being granted to their managers.

'GroupMembersWithBosses.GroupHaveBosses.User.Role.Roles' == "$User.UserRoleId" || 'GroupMembersWithBosses.GroupHaveBosses.User.Id' == "$User.Id"

Next is the case where access was granted to a user through group sharing and they don’t want it shared with their manager.

'GroupMemberNoBoss.GroupMemberWithoutBosses.User.Id' == "$User.Id"

Then we move on to the users who gain access to a record because of a role within a group. The first part of this statement covers the case where access is granted to the role as well as the managing roles above it. The second part covers the case where access is granted to a role but not to the managing roles.

'GroupMemberRolesWithBosses.GroupMemberRoles.SubGroup.Role.Roles' == "$User.UserRoleId" || 'GroupMemberRolesNoBosses.GroupMemberRoles.SubGroup.Role.Id' == "$User.UserRoleId"

All of the Salesforce sharing cases, as specified in Part I of this series, are covered by the above predicate statements. Again, this was built specifically around Opportunity access, but the overall algorithm can be applied to any object you wish to control sharing for in this manner.

And finally, here is the security predicate in its entirety.

'GroupMembersWithBosses.GroupHaveBosses.User.Role.Roles' == "$User.UserRoleId"
|| 'GroupMembersWithBosses.GroupHaveBosses.User.Id' == "$User.Id"
|| 'GroupMemberNoBoss.GroupMemberWithoutBosses.User.Id' == "$User.Id"
|| 'UserShare.User.Id' == "$User.Id"
|| 'UserShare.User.Role.Roles' == "$User.UserRoleId"
|| 'RoleShare.Group.RelatedId' == "$User.UserRoleId"
|| 'RoleShare.Role.Roles' == "$User.UserRoleId"
|| 'GroupMemberRolesWithBosses.GroupMemberRoles.SubGroup.Role.Roles' == "$User.UserRoleId"
|| 'GroupMemberRolesNoBosses.GroupMemberRoles.SubGroup.Role.Id' == "$User.UserRoleId"
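
To check who would see a row before applying the predicate to a dataset, here is a small Python harness that evaluates it against constructed rows. It is an added example, not code from the original post. It assumes a multi-value column matches when any of its values equals the user's value and that a user with no role never matches; the function names and all IDs are made-up placeholders.

```python
import re

# The complete predicate from the end of this post.
PREDICATE = """
'GroupMembersWithBosses.GroupHaveBosses.User.Role.Roles' == "$User.UserRoleId"
|| 'GroupMembersWithBosses.GroupHaveBosses.User.Id' == "$User.Id"
|| 'GroupMemberNoBoss.GroupMemberWithoutBosses.User.Id' == "$User.Id"
|| 'UserShare.User.Id' == "$User.Id"
|| 'UserShare.User.Role.Roles' == "$User.UserRoleId"
|| 'RoleShare.Group.RelatedId' == "$User.UserRoleId"
|| 'RoleShare.Role.Roles' == "$User.UserRoleId"
|| 'GroupMemberRolesWithBosses.GroupMemberRoles.SubGroup.Role.Roles' == "$User.UserRoleId"
|| 'GroupMemberRolesNoBosses.GroupMemberRoles.SubGroup.Role.Id' == "$User.UserRoleId"
"""

# One clause: 'Dataset.Column' == "$User.Field"
CLAUSE = re.compile(r"'([^']+)'\s*==\s*" + r'"\$User\.(\w+)"')

def parse(predicate):
    """Split the OR chain into (column, user_field) pairs; reject anything else."""
    clauses = []
    for part in predicate.split("||"):
        match = CLAUSE.fullmatch(part.strip())
        if match is None:
            raise ValueError(f"unsupported clause: {part.strip()!r}")
        clauses.append(match.groups())
    return clauses

def granting_columns(row, user, clauses=None):
    """Return the columns whose clause lets `user` see `row` (empty list = hidden)."""
    hits = []
    for column, field in clauses or parse(PREDICATE):
        values = row.get(column) or []
        if isinstance(values, str):
            values = [values]          # single-value column
        wanted = user.get(field)
        # Assumption: a missing user value (e.g. no role) never matches.
        if wanted and wanted in values:
            hits.append(column)
    return hits

# Constructed rows and users; every ID below is a made-up placeholder.
ROW_USER_SHARE = {"UserShare.User.Id": ["005_REP"],
                  "UserShare.User.Role.Roles": ["00E_MGR", "00E_VP"]}
ROW_NO_BOSS = {"GroupMemberNoBoss.GroupMemberWithoutBosses.User.Id": ["005_REP"]}
REP = {"Id": "005_REP", "UserRoleId": "00E_REP"}
MANAGER = {"Id": "005_MGR", "UserRoleId": "00E_MGR"}
NO_ROLE = {"Id": "005_EXT", "UserRoleId": None}
```

Returning the matching columns rather than a bare yes or no shows which sharing path granted access, which helps when a user sees a row they should not.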

Happy Coding!
